class RuboCop::Cop::GitlabSecurity::SystemCommandInjection

Check for use of system("/bin/ls #{params}")

Passing user input to system() without sanitization and parameterization can result in command injection

@example

# bad
system("/bin/ls #(unknown)")

# good (parameters)
system("/bin/ls", filename)
# even better
exec("/bin/ls", shell_escape(filename))

Constants

MSG

Public Instance Methods

on_send(node)
# File lib/rubocop/cop/gitlab-security/system_command_injection.rb, line 26
# Registers an offense for a receiver-less `system(...)` call whose
# arguments include something that `system_var?` classifies as user input.
#
# `node.command?(:system)` matches only a bare `system` call (no explicit
# receiver), so a call written as `Kernel.system(...)` is not inspected by
# this cop. What counts as user input is decided entirely by `system_var?`,
# which is defined elsewhere in this file (presumably a node-pattern search;
# confirm against its definition before relying on the exact shapes it matches).
#
# @param node [RuboCop::AST::SendNode] the `send` node under inspection
# @return [void] an offense is attached to the method-name selector via
#   `add_offense` when both checks pass; otherwise nothing happens
def on_send(node)
  return unless node.command?(:system)

  tainted_argument = node.arguments.any? { |argument| system_var?(argument) }
  add_offense(node, location: :selector) if tainted_argument
end